Our panel outline the measures you should take to ensure security in the cloud.
Be wary of anyone who isn’t transparent about where your data is
A genuine risk is where your data is. In some sectors, this can be critically important. You should be very wary of anyone who isn’t completely transparent about this, or who doesn’t at the very least give you the choice of which territory your data will be hosted in.
Also, don’t be afraid to ask questions and verify a partner’s credentials. Always ask for references, read the case studies, and make sure that they have appropriate and up-to-date accreditation for what you need, for instance ISO 9000 and ISO 27000.
The difference between your customer data being hosted on a trusted server in London and an unspecified basement in Guatemala might be just a click away.
Put your card payments through a level one compliant cloud solution
Putting your card payments through a level one compliant cloud-based solution can help you to be PCI DSS compliant.
This is because it de-scopes PCI DSS from all of your internal systems and processes. You will also find that it is your vendor’s business to keep up to date with the latest compliance standards.
With thanks to Luke Talbot, Product Marketing Manager at Azzurri
Encryption prevents thieves from accessing the data
There have been great advances in the solutions that encrypt stored voice recordings.
This means that, even if someone were to attempt to steal a server, it would be useless to them, as the encryption would prevent them from accessing the data.
The data centre should be central to any security considerations
The data centre, in particular its location and physical security, should be central to any security considerations.
This is because regulations and legal requirements can vary from country to country, which may result in businesses losing control of who has access to their data.
In terms of tight physical security, the best cloud data centres will have SAS 70 Type II certification, so they are under surveillance through constant 24/7 monitoring, as well as being access controlled.
Hosted hybrid models offer the best of public and private cloud networks
Hosted hybrid models offer the best of both public and private cloud networks, as vendor-owned infrastructure is deployed on the company’s local network, and all data is kept on the premises.
This offers the required security, while the logic and routing is in the public cloud and at a public cloud price model.
With thanks to Dave Paulding, Regional Sales Director for UK and Middle East at Interactive Intelligence
Check that your provider is protected from DDoS attacks
Check that your provider is protected from DDoS (distributed denial of service) attacks.
In a DDoS attack, hackers aim to shut down web services by flooding them with a vast amount of network traffic from different sources.
For those whose primary services are based in the cloud, DDoS attacks can come at an excruciating cost – time, money and custom can all be adversely affected by an attack.
With thanks to Gareth Pitts, VP Cloud Services, Moxie Software
Reputable cloud vendors have several back-up measures in place
A reputable cloud vendor will ensure the physical security of your data through the use of back-up power supplies and by working with a number of internet service providers.
You should also check that your data will be replicated in multiple locations, so in the case of a fire, flood or any other kind of disaster, you know your data will be safe.
Administrative controls will prevent access to certain files
Reputable cloud vendors will also have a number of measures in place to restrict access to your stored data.
- Firewalls and anti-virus detection software will be used on all of the devices used to store your data.
- Administrative controls will be in place, preventing access to certain files and ensuring only authorised personnel will be able to get hold of your data.
- Security audits will be undertaken by providers, where they will hire professional hackers to try and hack into their applications and to provide audit reports with their findings, to ensure no one unauthorised can gain access.
With thanks to Neil Titcomb, Sales Director Cloud UK & Ireland, Genesys
Reputable cloud providers will have a number of certifications
Reputable cloud providers will have a number of certifications.
- The SOC (Service Organisation Controls) auditing standard measures the control of internal financial information for a service organisation.
- ISO 27001 is an internationally recognised information security management system (ISMS) standard.
- The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organisations that deal with cardholder information for major debit and credit cards.
All data must be stored securely to ensure integrity
To comply with data privacy regulations as specified by the Data Protection Act 1988, EU customer data must be stored by your cloud provider in locations within the EU region.
All data must be securely stored to ensure integrity and comply with Data Protection legislation. Regular back-ups should be stored in multiple data sites to provide increased security. Customer data exports should be available any time on demand from the relevant data centre(s).
Ensure that communication between your site and the cloud is encrypted
Ensure that communication between your site and the cloud is encrypted, and that data is only accessible via secure industry standard protocols such as SSL/HTTPS.
In addition, employee user roles and authorisation must be in line with existing security policies, and user credentials must be stored in encrypted form.
You should also ensure that you make regular password changes, and that a minimum password length is specified.
With thanks to Chris Dealy, Sales Director at injixo
Check that your data is protected by several elements of physical security
Because your data resides in a network operations centre hosted by the vendor, verify that their data centre is protected by several elements of physical security.
These elements should include mantraps and surveillance cameras, as well as security staff with suitable background checks.
Ask if the vendor’s network is protected by multi-layer firewalls
Weak network security is one of the biggest threats to your corporate data, so ask if the vendor’s network is protected by multi-layer firewalls and intrusion-detection systems.
You should also ask how those systems are monitored, and if the vendor will proactively alert you of any tamper attempts.
Security must be an integral part of how your platform is designed
Security must be an integral part of how your potential platform vendor designed and built their contact centre technology, through every stage of the software development lifecycle rather than as an afterthought.
It should be thoroughly tested to prove that their solution adheres to – or exceeds – industry-standard security requirements.
With thanks to Richard Pinnington, Head of UK&I Marketing at LiveOps
Reputable cloud-based vendors implement cutting-edge technology
It pays to check that you are working with a reputable cloud-based vendor. This is because they implement the most cutting-edge technology, with security levels that are cost prohibitive to implement in a local, premise-based solution.
For example, cloud vendors will often provide externally audited and accredited dedicated security that can usually surpass on-premise offerings.
In addition, data centres are likely to have a greater level of physical security, such as biometrics and visual identification, than would likely be offered by an on-premise solution.
Make sure you are protected by the essential security features
Before moving across to the cloud, make sure you will be protected by the essential security features.
- Two-stage authentication
- Password strength rules being in place to ensure passwords are sufficiently strong and expire at a suitable interval
- Valid, authenticated security certificates should be used for all secure connections to prevent “man in the middle” or redirection attacks
- Business continuity plan and SLA that matches your SLAs with your clients
- Integrated PCI compliance
Make sure there is an effective DR solution in place
Cloud vendors can offer a superior DR (Disaster Recovery) solution that is fully redundant, with complete disaster recovery and business continuity, delivered from multi-site locations.
For example, they should ensure that call plans or balance campaign calls are duplicated across nodes.
With thanks to James Sumner, Project Manager at Ultra Communications
All data should be duplicated to guard against component failure
All data should be duplicated to guard against component failure, for example by a call-recording service that records each call at least twice as it transits the network.
Stored audio files should then be replicated in real time, and back-ups stored in off-site data storage centres.
Multiple resilient connections ensure continued service delivery
Multiple resilient connections to telecoms operators ensure continued service delivery.
Your cloud vendor being an ISP in their own right, and floating a range of IP addresses across providers using BGP and HSRP standards, can also ensure high availability and automatic rerouting of customer traffic in the event of a failure with a single provider.
With thanks to David Ford, Managing Director at Magnetic North
Apply the same due diligence as you would with a premise-based solution
Many people are still wary about using the cloud. But the truth is, if you apply the same due diligence when investing in a cloud solution as you do with a premise-based solution, then you will be in very safe hands.
For example, ensure it is a reputable, established and proven vendor, and make sure they fully understand your requirements.
Always have the latest version of the solution
Cloud-solution providers continually invest huge sums in the very latest IT hardware and security systems to safeguard their data centres. This ensures that the services on offer are accompanied by the highest levels of protection and reliability.
It is therefore best practice to always have the latest version of the solution, because when they upgrade you are automatically upgraded too.
With thanks to Ofer Mosseri at NICE Systems